Why does it always take a catastrophe before companies take security seriously?

Every cybersecurity meme of 2026 is some variant of "it took the breach to fund the fix." If you're inside an org that finally got a real security budget after an incident — what was the inflection point and is the funding still there a year later?